Back to skill

Security audit

Google Health

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, with the main caution that its OAuth setup documentation under-explains how to protect a locally stored client secret.

Before installing, check where config.json will live, keep it out of source control and backups you do not trust, restrict it to your user account, and rotate the OAuth client secret if you think it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to place an OAuth client ID and client secret into a local config.json file, but provides no explicit guidance on secure storage, file permissions, avoiding source control, or secret leakage. While this is a personal desktop OAuth client and not a server credential, the client secret is still sensitive and careless handling can expose the OAuth app configuration or enable misuse if the file is copied, backed up insecurely, or committed to a repository.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.